CVE-2023-28638
Buffer Overrun vulnerability in Snappier (NuGet)

Buffer Overrun No known exploit

What is CVE-2023-28638 About?

Snappier 1.1.0 contains a buffer overrun that can occur when a .NET garbage collector compaction happens while the library is holding a byte reference (a managed `ref byte`) that points outside the buffer it was derived from. The realistic outcome is denial of service (the affected process terminates on an invalid memory access). The condition is a narrow timing window inside the garbage collector, so it is very difficult for an attacker to trigger deliberately; malformed input data only slightly increases the odds.

Affected Software

Snappier 1.1.0 (>= 1.1.0, < 1.1.1); earlier releases use pointers and are not affected

Technical Details

Snappier 1.1.0 replaced raw pointers with managed byte references (`ref byte`) for performance. The .NET garbage collector keeps a managed reference in sync with the object it points into only while the reference is an interior pointer, i.e. while it points inside that object's bounds. In 1.1.0, some range checks briefly form a byte reference that lies outside the buffer, either before its start or one byte past its end. If a GC compaction runs in exactly that window, the buffer is moved but the out-of-bounds reference keeps its old address. Any range check that then compares against that stale reference gives the wrong answer, and the reads or writes that follow can run past the real end of the buffer. One of the affected range checks is driven by values taken from the input data in the decompression buffer, which is why malformed input can influence (though not reliably trigger) the condition. Version 1.1.1 corrects the affected checks.
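The pattern described above, as an added illustration that is not Snappier's code and does not come from the advisory: a hypothetical byte-copy routine whose end bound is a `ref` formed one element past the buffer (the hazardous shape), beside a hardened version that keeps bounds as integer offsets so every live reference is a valid interior pointer, plus an integer bounds check on a length taken from untrusted input. Routine names and the sample data are invented; the code is C# because Snappier is a .NET library. The vulnerable variant will normally run correctly, since it only misbehaves if a compaction lands in the marked window; the point is the shape of the code, not a reproducible crash.

```csharp
// Added illustration of the byref range-check hazard. NOT Snappier's code:
// CopyVulnerable, CopySafe and TryCopyLiteral are hypothetical routines.
using System;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

static class ByRefRangeCheckDemo
{
    // HAZARDOUS PATTERN: the end bound is itself a ref formed one element past
    // the end of the buffer. The .NET GC only relocates a managed ref together
    // with its object while the ref points inside that object, so if a
    // compaction moves input's backing array while ipEnd is live, ipEnd keeps
    // its old address and the IsAddressLessThan test compares a fresh ref with
    // a stale one. The loop can then keep reading past the moved buffer.
    public static void CopyVulnerable(ReadOnlySpan<byte> input, Span<byte> output)
    {
        if (output.Length < input.Length) throw new ArgumentException("output too small");

        ref byte ip = ref MemoryMarshal.GetReference(input);
        ref byte op = ref MemoryMarshal.GetReference(output);
        // One past the end of input: not a valid interior pointer.
        ref byte ipEnd = ref Unsafe.Add(ref ip, input.Length);

        while (Unsafe.IsAddressLessThan(ref ip, ref ipEnd)) // window: a GC compaction here leaves ipEnd stale
        {
            op = ip;
            ip = ref Unsafe.Add(ref ip, 1); // after the last element this ref is also past the end
            op = ref Unsafe.Add(ref op, 1);
        }
    }

    // HARDENED PATTERN: bounds are tracked as integers and a ref is only ever
    // materialised at an offset that is inside the buffer, so every live ref is
    // an interior pointer the GC will relocate correctly at any instant.
    public static void CopySafe(ReadOnlySpan<byte> input, Span<byte> output)
    {
        if (output.Length < input.Length) throw new ArgumentException("output too small");

        ref byte ip = ref MemoryMarshal.GetReference(input);
        ref byte op = ref MemoryMarshal.GetReference(output);
        int remaining = input.Length;

        for (int i = 0; i < remaining; i++)
        {
            Unsafe.Add(ref op, i) = Unsafe.Add(ref ip, i); // i < Length, so both refs stay in bounds
        }
    }

    // A length or offset decoded from untrusted (possibly malformed) input is
    // validated as plain integers before any ref is derived from it.
    public static bool TryCopyLiteral(ReadOnlySpan<byte> input, int offset, int length, Span<byte> output)
    {
        if (offset < 0 || length < 0 || offset > input.Length ||
            length > input.Length - offset || length > output.Length)
        {
            return false; // reject instead of forming an out-of-range ref
        }
        CopySafe(input.Slice(offset, length), output);
        return true;
    }

    public static void Main()
    {
        byte[] data = new byte[1000]; // constructed sample input
        new Random(1).NextBytes(data);
        byte[] dst = new byte[data.Length];

        CopySafe(data, dst);
        Console.WriteLine(data.AsSpan().SequenceEqual(dst) ? "copy ok" : "copy MISMATCH");

        // A "literal length" that overruns the remaining input is refused up front.
        Console.WriteLine(TryCopyLiteral(data, 990, 20, dst) ? "accepted" : "rejected oversized literal");
        Console.WriteLine(TryCopyLiteral(data, 990, 10, dst) ? "accepted in-range literal" : "rejected");
    }
}
```

Run with `dotnet run` in a console project; no `AllowUnsafeBlocks` is needed because `Unsafe` and `MemoryMarshal` are ordinary managed APIs. The practical review rule this encodes: never compare against a `ref` that was formed outside the buffer, keep the bound as an integer, and only form refs at offsets already proven to be in range.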

What is the Impact of CVE-2023-28638?

When the stale reference leads to a read or write outside the buffer, the most likely result is that the process is terminated for accessing protected memory, i.e. a denial of service. No authentication bypass, code execution or information disclosure is described for this issue.

What is the Exploitability of CVE-2023-28638?

Exploitation is considered very difficult. A GC compaction has to occur during the few instructions in which an out-of-bounds byte reference is live on the stack, and an attacker cannot control when the garbage collector runs. The realistic approach is volume: repeatedly submitting data for decompression in the hope that a compaction eventually lands in that window. Snappier itself imposes no authentication, but whether an attacker can reach the decompression path at all depends on the application embedding the library. Because success hinges on an internal memory-management race, the attack is highly unreliable; the one lever available to an attacker is that malformed input feeding the affected range check slightly widens the window.

What are the Known Public Exploits?

No public proof-of-concept or exploit is known for this CVE.

What are the Available Fixes for CVE-2023-28638?

Available Upgrade Options

  • Snappier
    • 1.1.0 (>= 1.1.0, < 1.1.1) → Upgrade to 1.1.1 or later


Additional Resources

What are Similar Vulnerabilities to CVE-2023-28638?

Similar Vulnerabilities: CVE-2021-42307, CVE-2020-1472, CVE-2019-1064, CVE-2018-8686, CVE-2017-0105